As announced in a previous post, several ISO members last year requested the launch of a project to standardize a DRM technology for digital publications, in particular EPUB 3. This request was accepted, provided that the target technology would be based on the new Readium LCP industrial standard operated by EDRLab.
The first face-to-face meeting of the new working group, currently composed of 11 experts from different countries, took place this week. Laurent Le Meur (EDRLab CTO) and Luc Audrain (Hachette Livre) were among them, thanks to the ISO membership of the Syndicat national de l’Edition (SNE) via AFNOR. The meeting was hosted by the UNI (Ente Italiano di Normazione) organization in Milan, and this post is a short memo about this meeting.
There is a common feeling that Readium LCP strikes a good balance between the requirements of most publishers and the needs and demands of end-users. For IP reasons, the name of the ISO specification can reuse neither the “Readium” nor the “EPUB” brand. Therefore, the name chosen for the new technical specification (TS 23078) is “Specification of DRM technology for digital publications”. This title is generic enough to encompass EPUB, which is the first target for this standard, but also PDF (EDRLab is currently working on the LCP protection of PDF files, more soon).
Reuse of the Licensed Content Protection and License Status Document specifications met with consensus among the experts. It was decided that both specifications will be the base of the target ISO specification, with minimal modifications (only the wording modifications necessary to conform to the ISO style guide). Note that these two specifications were created separately by their authors because the second (Status Document and API) can be used with licenses other than LCP; nevertheless, the Readium LCP network requires the implementation of both specifications to ensure a proper level of management of LCP licenses, so there is no need here to keep the two separate.
As a reminder, the use of the License Status Document API provides the following features:
- The user can return a loan (and therefore borrow a new ebook in a public library).
- The user can request a loan extension, if he didn’t have the time to read an ebook he has acquired in a public library.
- The reading app notifies the LCP server associated with a license if it opens a protected publication for the first time.
- The reading app is notified if the license was revoked (or cancelled if never used), and therefore blocks access to the publication. This is a pragmatic way to stop oversharing, i.e. a case where a user puts a protected publication plus his passphrase on the open web.
Taehyun Kim is the CTO of DRM Inside in Korea, a company specialized in DRM implementations. He points out that, in a few cases, publishers may require tight constraints on the use of a publication that LCP cannot fulfill. He presents to the participants a detailed document on how the user key protection used in LCP can be complemented by an additional device key protection.
This “hard” DRM builds on the more “lightweight” DRM we call LCP, with an additional limitation: a license is created for each specific device, and this license cannot be shared between devices; this protection is enforced by an asymmetric encryption of the content encryption key, based on a key-pair generated by the client app on the device. The server can therefore precisely control the number of devices able to open a publication after its acquisition by a given user.
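The device-key binding described above, sketched in Go as an added example (not code from Readium LCP, EDRLab or the DRM Inside proposal). The page only says the content encryption key is asymmetrically encrypted to a key pair generated on the device; RSA-OAEP, the `LicenseServer` type, the device IDs and the content key below are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrDeviceLimit = errors.New("device limit reached")

// LicenseServer is a hypothetical provider issuing one license per device.
type LicenseServer struct {
	contentKey []byte          // symmetric key that encrypts the publication
	maxDevices int             // device quota for this acquisition
	devices    map[string]bool // device IDs that already hold a license
}

// NewDevice generates the client-side key pair; the private key stays on the device.
func NewDevice() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// Issue enforces the quota, then wraps the content key to this device only.
func (s *LicenseServer) Issue(deviceID string, pub *rsa.PublicKey) ([]byte, error) {
	if !s.devices[deviceID] && len(s.devices) >= s.maxDevices {
		return nil, ErrDeviceLimit
	}
	s.devices[deviceID] = true // re-issuing to a known device costs no extra slot
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, s.contentKey, []byte(deviceID))
}

// Unwrap recovers the content key; it fails for any other private key or device ID.
func Unwrap(priv *rsa.PrivateKey, deviceID string, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, []byte(deviceID))
}

func main() {
	srv := &LicenseServer{[]byte("constructed-32-byte-content-key!"), 1, map[string]bool{}}
	a, b := NewDevice(), NewDevice()
	lic, _ := srv.Issue("device-a", &a.PublicKey)
	_, errB := Unwrap(b, "device-a", lic) // copied license on a second device
	_, errQuota := srv.Issue("device-b", &b.PublicKey)
	fmt.Println("copy fails:", errB != nil, "| quota enforced:", errQuota == ErrDeviceLimit)
}
```

Every new device has to go through `Issue`, which is why the client must be online to obtain a working license.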
But such a solution has several drawbacks:
- It implies a number of client-server interactions, which require the client device to be online in order to get a working license.
- It disallows “fair sharing” (family, close friends) of the publication.
- It disallows “persistent ownership”: if the provider stops its service, the user can no longer move his publication to a new device.
So what is the use of such a solution which, to be frank, breaks the balance LCP has reached between the needs of publishers (control their content) and those of users (use the content they have acquired without friction)?
One use case could be a publication of high value, where “fair sharing” is not accepted by its publisher, and where acquisition is for a time-limited period, so “persistent ownership” is not required. Such a use case can be found in high-end education, where digital textbooks can be very expensive and acquired for one year only. EDRLab is convinced that this hardened solution should not be used for standard delivery of e-books, where persistent ownership and frictionless usage are paramount for user acceptance of a DRM.
After discussing the pros and cons of a multi-level solution, the working group decided that the priority was to focus on the standardization of the current LCP protection, which is now deployed gradually on several continents and is the only active alternative to closed / proprietary solutions. But, in order to address the full spectrum of needs expressed by the publishing industry, the specification will later address the proposal made by DRM Inside. The specification will therefore be split into three parts:
- An overview of the different ways to manage digital rights in a standard way, with an introduction to the next two parts;
- The specification of a user key protection, identical to Readium LCP;
- The specification of a device key protection based on part 2.
Taehyun Kim and Laurent Le Meur will be co-editors of the specification.
The WG expects a draft of the first two parts in September 2019, ready for discussion during an ISO meeting in Japan. The third part will be addressed in 2020.
Two extensions of LCP will be discussed before the Japan meeting, both being work items for EDRLab members this year:
- Will the specification address the transparent exchange of user keys for users authenticated on an e-commerce server?
- Will the specification also address the protection of PDF publications?
If you want to be part of this work and have some influence on the upcoming ISO TS 23078 standard, it’s time for your company to become an EDRLab member. Contact us!